[74521] in North American Network Operators' Group


Re: Blackhole Routes

daemon@ATHENA.MIT.EDU (Wayne E. Bouchard)
Thu Sep 30 14:44:27 2004

Date: Thu, 30 Sep 2004 11:43:42 -0700
From: "Wayne E. Bouchard" <web@typo.org>
To: Deepak Jain <deepak@ai.net>
Cc: Erik Haagsman <erik@we-dare.net>,
	"Robert A. Hayden" <rhayden@geek.net>,
	Abhishek Verma <abhishekv.verma@gmail.com>, nanog@merit.edu
In-Reply-To: <415C4D55.6030203@ai.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote:
> >It goes a little further than that these days. Folks are openly
> >allowing customers to advertise routes with something like a 666
> >community which will then be blackholed within their network. So if
> >you're a service provider with your own blackhole system, you can
> >easily tie it into your upstream's system and dump the traffic many
> >hops away from you meaning that the traffic is getting dumped closer
> >to the source than the destination in a fair number of cases.
> >
> 
> This is very dangerous however.....
> 
> If providers start tying their customer's blackhole announcements to the 
> provider's upstreams' blackhole announcements in an AUTOMATIC process, 
> bad things <tm> are likely to happen. What happens when a customer of a 
> provider mistakenly advertises more routes than he should [lets say 
> specifics in case #1] you can flood your upstreams' routers with 
> specifics and potentially cause flapping or memory overflows...

Yes, well, in my case, I go through a dedicated server with multi-hop
sessions and set a prefix limit of 25 or so so I don't get bombarded
with 5 billion /32 routes and don't send those routes upstream. (I try
to play nice when possible.) I expect that the upstreams have various
defense mechanisms of their own to protect them against me
misconfiguring my boxes as well. (It only makes sense..)

> In case #2, presumably the blackhole community takes precedence, so if a 
> customer is mistakenly readvertising their multihome provider's table 
> with a 666 tag, all of the upstream providers might be blackholing the 
> majority of their non-customer routes.

If the customer does themselves in, that's not something I can really
protect against.

> Non-automatic tying of customer blackholes to upstream or peer 
> blackholes is a powerful tool to improve the stability of the net as a 
> whole.

Yes, but far too slow when you're getting DoS'd off the face of several
planets.

---
Wayne Bouchard
web@typo.org
Network Dude
http://www.typo.org/~web/
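The safeguards discussed in this thread (a per-session prefix limit so a customer cannot flood the blackhole session with specifics, and keeping the resulting /32s local rather than re-exporting them upstream) modelled as a small policy simulation; this is an added example, not code from the original thread. The community value, the customer prefix list and the extra rule that a blackhole route must be a host route inside the customer's own allocation are assumptions added here.

```python
import ipaddress

# Assumption: the thread only says "something like a 666 community"; this is a constructed value.
BLACKHOLE_COMMUNITY = "65535:666"

def check_blackhole_route(prefix_str, communities, customer_prefixes):
    """Return None if the route passes the per-route checks, else the reason it was refused."""
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return "unparseable prefix"
    if BLACKHOLE_COMMUNITY not in communities:
        return "missing blackhole community"
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        # Refusing anything shorter than a host route limits the blast radius of a mistake.
        return "only host routes (/32 or /128) may be blackholed"
    if not any(net.subnet_of(a) for a in customer_prefixes if a.version == net.version):
        # Stops case #2: a customer re-announcing someone else's routes with the 666 tag.
        return "prefix is not within the customer's allocated space"
    return None

def process_blackhole_feed(announcements, customer_prefix_strs, max_prefixes=25):
    """Simulate the blackhole-feed session: prefix limit first, then per-route checks.
    Accepted routes get a discard next hop and are never exported upstream."""
    customer_prefixes = [ipaddress.ip_network(p) for p in customer_prefix_strs]
    if len(announcements) > max_prefixes:
        # Case #1: like BGP maximum-prefix, the whole session is shut rather than installing anything.
        return {"session_up": False, "installed": [],
                "rejected": [(p, "maximum-prefix exceeded") for p, _ in announcements]}
    installed, rejected = [], []
    for prefix, communities in announcements:
        reason = check_blackhole_route(prefix, communities, customer_prefixes)
        if reason:
            rejected.append((prefix, reason))
        else:
            installed.append({"prefix": prefix, "next_hop": "discard", "export_upstream": False})
    return {"session_up": True, "installed": installed, "rejected": rejected}

# Constructed sample data using documentation address ranges.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]
SAMPLE_FEED = [
    ("192.0.2.10/32", ["65535:666"]),     # victim host inside the customer's space: accepted
    ("192.0.2.0/24", ["65535:666"]),      # too coarse: would sink the customer's whole /24
    ("203.0.113.7/32", ["65535:666"]),    # case #2: not the customer's allocation
    ("192.0.2.11/32", []),                # no blackhole tag on a blackhole-only session
    ("2001:db8::1/128", ["65535:666"]),   # IPv6 host route: accepted
]
# Case #1: a customer leaking many specifics trips the per-session prefix limit.
LEAKED_FEED = [(f"192.0.2.{i}/32", ["65535:666"]) for i in range(40)]
```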
